Federal Information Security Management Act: Fiscal Year 2012 Evaluation
(IG-13-001, October 10, 2012)

This annual report, submitted as a memorandum from the Inspector General to the NASA Administrator, provides the Office of Inspector General’s (OIG) independent assessment of NASA’s information technology (IT) security posture. For FY 2012, the OIG adopted a risk-based approach under which we reviewed a sample of 129 system components monitored by automated tools across NASA and performed a manual review of five mission systems (two Agency internal and three external information systems).

Overall, we found that NASA has established a program to address the challenges in each of the areas that the Office of Management and Budget (OMB) identified for this year’s Federal Information Security Management Act (FISMA) review. However, the Agency needs to make more progress in addressing NASA’s continuous monitoring management, configuration management, and risk management issues.

Our report addressed the 11 required areas of review for FY 2012 FISMA reporting:
  • Continuous Monitoring Management
  • Configuration Management
  • Identity and Access Management
  • Incident Response and Reporting
  • Risk Management
  • Security Training
  • Plan of Action and Milestones (POA&M)
  • Remote Access Management
  • Contingency Planning
  • Contractor Systems
  • Security Capital Planning

The OIG concluded that IT security will remain a significant challenge for the Agency as it moves from a compliance-focused, “snapshot” approach for measuring the security of its IT systems to using tools and techniques to perform real-time monitoring. During FY 2013 and beyond, the OIG will continue to assess NASA’s IT security program through focused audits of discrete IT security issues, such as the security of mobile devices and cloud-computing technologies, as well as through our annual FISMA reviews.

The OMB will provide a consolidated report to Congress, which will include information from our report. However, as an “Intra-Agency Memorandum” our report is considered exempt from release under the Freedom of Information Act (FOIA); it also contains NASA Information Technology/Internal Systems Data that is considered Sensitive But Unclassified and therefore not routinely released under FOIA. To submit a FOIA request, see the online guide.

OMB’s report is made available over the Internet (last year’s, Fiscal Year 2011 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002, was released by OMB in March 2012).